SAP security covers all the tools, processes, and controls put in place to restrict what users can access within an SAP landscape. The aim is that users can access only the information they need to do their job and are kept away from sensitive procedures and confidential information, such as financial records, where unrestricted access creates the risk of fraud, data breaches and compliance violations.
SAP security is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. It covers authentication methods, database security, network and communication security, protection of the standard users, and the other best practices that should be followed in maintaining an SAP environment. Human error and incorrect access provisioning must not lead to unauthorized access to the system, so the profile policies and system security policies in the SAP environment need to be maintained and reviewed regularly.
Secure Network Communication (SNC) can also be used to log on to an application server with a secure authentication method. You can use SNC for user authentication via SAP GUI for Windows or over an RFC connection. SNC uses an external security product to perform the authentication between the communication partners; for example, a public key infrastructure (PKI) together with procedures for generating and distributing key pairs.
Single Sign-On (SSO) is one of the key concepts: you log on to one system once and can then access multiple back-end SAP systems and their software resources without logging on again.
SAP Internet Transaction Server (ITS) was SAP's first approach to extending business applications to a web browser or the Internet: it converts SAP dynpro screens into HTML, making it possible to access SAP systems with user-friendly web technology. As a middleware component, SAP ITS provides web access for several SAP products, such as SAP ERP, SAP Supplier Relationship Management (SRM), SAP Employee Self-Services (ESS) and SAP Enterprise Buyer Professional (EBP).
The SAP Cryptographic Library is the default security product for performing encryption functions in SAP systems; for example, you can use it to provide SNC. It implements the entire functionality defined in the standard interface of the Generic Security Services Application Programming Interface Version 2 (GSS-API V2).
T-code stands for transaction code. A transaction code consists of letters, numbers, or both, and is entered in the command field. Using a transaction code takes you to any task in an SAP application faster: instead of navigating the menu, you go to the task and start the function in a single step.
SAP Security transaction codes and descriptions:
Table / Description / Functional Area
USR tables (user master records); AGR tables (related to roles); developer key table; transport requests; e-mail IDs for users; other tables.
SAP system transactions may be defined to run as any of the following Internet applications: Web transactions (IACs), WebRFC, or WebReporting. Transactions delivered with the SAP system are defined in one of these categories. When developing your own transactions, develop them according to the needs of the transaction; for example, when defining Web transactions you can change the screen layout to meet your own needs.

Defining Web transactions (IACs): SAP system transactions may be accessible as IACs (also known as Web transactions). In this case the executed transaction finds all the information it needs for the front-end presentation layer in its own service file and templates. This includes the transaction code that must be started in the SAP system, defined with the parameter ~transaction in the service file.

Declaring services that use WebRFC: the ITS also supports RFC-based access to the SAP system using WebRFC or WebReporting, which is based on WebRFC. Only those WebRFC or WebReporting modules that have been specifically developed for an Internet access scenario can be accessed from the Internet.
The physical network architecture depends entirely on the size of your SAP system. An SAP system is commonly implemented with a client-server architecture and is divided into three layers: the presentation layer (frontends), the application layer (application servers) and the database layer. When the SAP system is small, it may not have separate application and database servers. In a large system, however, many application servers communicate with a database server and several frontends. This defines the network topology of the system, from simple to complex, and you should consider the different scenarios when organizing your network topology.
SAP provides the TMS (Transport Management System) as an environment for coordinated customizing and team development that protects the modification of objects and settings across an SAP landscape. Unfortunately the TMS is a facet of the SAP enterprise that is often under-secured. When security fails at this level it is typically because: system landscape settings are not properly configured; repairs are freely allowed; there are no filters that control which objects are being transported; authorizations are not completely implemented; transport monitoring is not a periodic task.
SAP's standard Secure Store and Forward (SSF) provides the support required to protect SAP system data and documents as independent data units. You can use the SSF functions to "wrap" SAP system data in secure formats before the data are transmitted over insecure communication links. These secure formats are based on public and private keys and cryptographic algorithms. While SAP provides a security library (SAPSECULIB) as a software solution for digital signatures, as well as standard support for SSF in certain application modules such as PDM or ArchiveLink, a high degree of protection is achieved only when private keys are secured using hardware devices such as smart cards.
SAP's GRC (Governance, Risk, and Compliance) tools offer a complete suite for controlling and managing risk. SAP GRC Access Control delivers comprehensive access control facilities and helps companies define and monitor Segregation of Duties (SOD), profile management and compliance. In its risk detection module, SAP's applications for Access Control detect access and authorization risks across SAP applications; Access Control also prevents new risks from entering the system.
A critical component is what I call the "Internet level," which addresses the interactions that take place between an SAP system and browsers, web servers, SAP Web Application Server, ITS, SAP EP, firewalls, and so on. When security fails at this level it is typically because As a result you see many types of attacks on web servers that can make systems unavailable or compromise critical information. Thousands of Internet security incidents and break-ins are reported; some of them make the CNN headlines, and there are dozens of books and hundreds of websites covering security, hacking and protection software. It is the job of the Basis administrator, network administrator and web administrator to put in place a system design that implements the best security measures to protect the SAP systems that are tightly connected to the Internet. A comprehensive security strategy limits access at each of these security layers to only authorized users and/or authorized external systems.
If the security products use an address book for holding the public keys, then, just as for the private keys, the files must be protected from unauthorized access or modification. An alternative is to use certificates issued by a trusted Certification Authority (CA), which guarantees the authenticity of those certificates. Several countries have regulated the use of cryptography and digital signatures; however, these rules or laws frequently generate a great deal of controversy and still change. Some countries already accept digital signatures as valid proof of obligation, so digital signatures can be used for secure business.
SAP security services must guarantee the integrity, confidentiality and authenticity of any type of business document, such as electronic files, mail messages and others. At this level SAP provides Secure Store and Forward (SSF) mechanisms, which include digital signatures and digital envelopes based on public key technology; these mechanisms can be deployed using external security services and digital certificates. When security fails at this level it is typically because: certificates and encryption are not used or implemented; private keys are not properly protected; there is scarce tracing and monitoring. As a result you see documents intercepted by unauthorized persons or access to confidential information. It is the job of the Basis administrators and expert security consultants, with the help of the legal department, to define and implement secure mechanisms such as encryption methods for protecting the transfer of documents.
If you understand the security components and infrastructure, there is a lot you can do to improve SAP systems security without compromising normal users’ operation. You can improve security by
Business Transaction Analysis (transaction STAD) delivers workload statistics across business transactions (that is, a user's transaction that starts when a transaction is called with /n… and ends with an update call or when the user leaves the transaction) and jobs.
A composite role is a container that can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called collective roles. Composite roles do not contain authorization data; if you want to change the authorizations that a composite role represents, you must maintain the data for each role in the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles: instead of adding each user separately to each role required, you can set up a composite role and assign the users to it. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during the user master comparison.
An authorization object is a group of authorization fields that relates to a particular activity; an authorization object class is a grouping of authorization objects by functional area.
Transaction code SM12 is used to manage lock entries.
The maximum number of profiles in a role is 312, and the maximum number of authorization objects in a role is 150.
SOD means Segregation of Duties; it is implemented in SAP to detect and prevent errors or fraud during business transactions. For example, if a user or employee has the privilege both to maintain vendor bank account details and to run the payment run, they could divert vendor payments to their own account.
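The bank-details-plus-payment-run conflict above is the kind of rule an SOD check evaluates over role assignments. The following is an added example, not code from the page or from SAP GRC: it builds the effective transaction set of each user from constructed rows shaped like AGR_USERS (user to role) and AGR_TCODES (role to transaction), then reports which rule each user violates and which roles supply each side of the conflict. The users, role names and rule IDs are hypothetical; F110 (payment run), FK01/FK02 (create/change vendor master, which includes bank details), FK03 and FB60 are real SAP transaction codes.

```python
"""Segregation-of-duties (SOD) conflict detection over SAP-style role data.

Added example; the rows below are constructed and only imitate the shape of
AGR_USERS and AGR_TCODES. Users, roles and rule IDs are hypothetical.
"""
from collections import defaultdict

# Constructed AGR_USERS-like rows: (user, role)
AGR_USERS = [
    ("JSMITH", "Z_AP_CLERK"),
    ("JSMITH", "Z_AP_PAYMENTS"),
    ("AJONES", "Z_AP_CLERK"),
    ("AJONES", "Z_DISPLAY_ONLY"),
    ("MLEE", "Z_AP_PAYMENTS"),
    ("MLEE", "Z_VENDOR_MASTER"),
]

# Constructed AGR_TCODES-like rows: (role, transaction code)
AGR_TCODES = [
    ("Z_AP_CLERK", "FB60"),        # enter vendor invoice
    ("Z_AP_CLERK", "FK03"),        # display vendor master
    ("Z_AP_PAYMENTS", "F110"),     # automatic payment run
    ("Z_VENDOR_MASTER", "FK02"),   # change vendor master (incl. bank details)
    ("Z_VENDOR_MASTER", "FK01"),   # create vendor master
    ("Z_DISPLAY_ONLY", "FK03"),
]

# SOD rule matrix (hypothetical IDs): transaction pairs one person must not hold together.
SOD_RULES = {
    "P001": ("FK02", "F110"),   # maintain vendor bank data + run payments
    "P002": ("FK01", "FB60"),   # create vendor + post vendor invoice
}


def roles_granting(agr_users, agr_tcodes):
    """Map user -> {tcode: set of roles that grant it}, across all assigned roles."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    granted = defaultdict(lambda: defaultdict(set))
    for user, role in agr_users:
        for tcode in role_tcodes.get(role, ()):
            granted[user][tcode].add(role)
    return granted


def find_sod_conflicts(agr_users, agr_tcodes, rules):
    """Return {user: {rule_id: (roles giving side a, roles giving side b)}}.

    The check runs on the union of all the user's roles: a conflict that is
    split across two individually clean roles is still a conflict for the
    user who holds both, which is exactly the case a role-by-role review misses.
    """
    conflicts = {}
    for user, tcodes in roles_granting(agr_users, agr_tcodes).items():
        for rule_id, (a, b) in rules.items():
            if a in tcodes and b in tcodes:
                conflicts.setdefault(user, {})[rule_id] = (
                    sorted(tcodes[a]), sorted(tcodes[b]))
    return conflicts


if __name__ == "__main__":
    for user, hits in sorted(find_sod_conflicts(AGR_USERS, AGR_TCODES, SOD_RULES).items()):
        for rule_id, (side_a, side_b) in hits.items():
            print(f"{user}: {rule_id} via {side_a} + {side_b}")
```

In this data MLEE violates P001 through the combination of Z_VENDOR_MASTER and Z_AP_PAYMENTS, while JSMITH, who runs payments but cannot touch vendor master data, is clean. Note the caveat a practitioner would add: AGR_TCODES only records menu transactions, and a user can also reach a transaction through an S_TCODE authorization value such as "FK*", so a production check must evaluate the authorization objects in the generated profiles (which is what SAP GRC Access Control does), not just the role menus.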
The Audit Information System (AIS) is an auditing tool that you can use to analyze security aspects of the SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP system.
PFCG time dependency is a report that is normally used to run the user master comparison. It also removes from the user master record any profiles that have expired and are no longer valid. The same action can be executed with a transaction code: PFUD.
We can get the list of logged-on users with transaction code SM04 (current instance) or AL08 (all instances).
Using transaction code SM37 we can check background jobs.
USOBT_C holds the authorization default values (the authorization objects and field values) that are relevant for a transaction, while USOBX_C holds the check indicators that say which authorization checks are executed within a transaction and which are not.
There are several important tabs in PFCG. The first is the Description tab, used to describe any changes made to the role, such as the addition or removal of transaction codes, changes to authorization objects, and so on. The second is the Menu tab, used to design the user menu, for example by adding transaction codes. The third is the Authorizations tab, used to maintain the authorization data and the authorization profile. The fourth is the User tab, used to assign users to the role and to adjust the user master records.
The t-code SU25 is used to copy the data from SAP's default tables USOBT and USOBX to the customer tables USOBT_C and USOBX_C. Generally it needs to be executed after a system upgrade so that the values in the customer tables are updated accordingly.
To find out who has deleted users in the system, first use report RSUSR100 (or debugging) to find the information, then run transaction SUIM and download the change documents.
Authorization groups are units comprising tables for a common functional area. Each table is generally assigned to an authorization group, which is why you specify the authorization group value when restricting access to tables in authorization object S_TABU_DIS. Authorization groups can be created with t-code SE54, and the assignment of tables to authorization groups can be checked in table TDDAT.
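The two passages on authorization objects and fields and on S_TABU_DIS authorization groups both come down to how an authorization check is evaluated. The following is an added example, not code from the page or from SAP: it simulates an ABAP AUTHORITY-CHECK over authorizations constructed in the shape a generated profile gives them. Each entry is one authorization instance of an object; a field value may be a single value, a trailing-"*" pattern, "*" (full authorization), or a (low, high) range. S_TCODE with field TCD, and S_TABU_DIS with fields DICBERCLS (authorization group) and ACTVT (02 = change, 03 = display), are the real objects; the users and the group names ZFIN and ZHR are hypothetical.

```python
"""Simulating an SAP AUTHORITY-CHECK for S_TCODE and S_TABU_DIS.

Added example; the authorizations below are constructed and the users and
authorization groups ZFIN/ZHR are hypothetical.
"""


def value_matches(spec, value):
    """Match one authorization field value specification against a requested value."""
    if isinstance(spec, tuple):            # (low, high) range, inclusive
        low, high = spec
        return low <= value <= high
    if spec == "*":                        # full authorization for the field
        return True
    if spec.endswith("*"):                 # trailing wildcard = prefix match
        return value.startswith(spec[:-1])
    return spec == value                   # single value


def authorization_covers(auth_fields, requested):
    """One authorization instance passes only if every requested field passes."""
    for field, value in requested.items():
        specs = auth_fields.get(field)
        if not specs:
            return False                   # field not maintained in this instance
        if not any(value_matches(s, value) for s in specs):
            return False
    return True


def authority_check(user_auths, obj, **requested):
    """Mimic AUTHORITY-CHECK OBJECT obj ID field FIELD value ...

    Succeeds if at least one authorization instance of obj satisfies all the
    requested fields at once. Values from different instances never combine,
    which is the detail role designers most often get wrong.
    """
    return any(authorization_covers(a["fields"], requested)
               for a in user_auths if a["object"] == obj)


# Constructed authorizations for two hypothetical users; each dict is one instance.
USER_AUTHS = {
    "FI_ANALYST": [
        {"object": "S_TCODE", "fields": {"TCD": ["SE16", "SM30"]}},
        {"object": "S_TABU_DIS", "fields": {"ACTVT": ["03"], "DICBERCLS": ["ZFIN", "ZHR"]}},
        {"object": "S_TABU_DIS", "fields": {"ACTVT": ["02"], "DICBERCLS": ["ZFIN"]}},
    ],
    "BASIS_ADMIN": [
        {"object": "S_TCODE", "fields": {"TCD": ["S*"]}},
        {"object": "S_TABU_DIS", "fields": {"ACTVT": [("01", "03")], "DICBERCLS": ["*"]}},
    ],
}


def can_maintain_table_group(user, group):
    """What table maintenance via SM30 needs: the transaction itself (S_TCODE)
    plus change access (ACTVT 02) to the table's authorization group."""
    auths = USER_AUTHS[user]
    return (authority_check(auths, "S_TCODE", TCD="SM30")
            and authority_check(auths, "S_TABU_DIS", ACTVT="02", DICBERCLS=group))


if __name__ == "__main__":
    for user in USER_AUTHS:
        for group in ("ZFIN", "ZHR"):
            print(f"{user} may maintain tables in {group}: {can_maintain_table_group(user, group)}")
```

The FI_ANALYST case shows the point: the user has ACTVT 03 for ZHR in one instance and ACTVT 02 for ZFIN in another, so change access to ZHR is denied even though both values appear somewhere in the user's authorizations. On newer releases, keep in mind that a failed S_TABU_DIS check is followed by a check of S_TABU_NAM (authorization by table name), so a review of table access has to cover both objects.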
The following authorization objects are required to create and maintain user master records: S_USER_GRP (User Master Maintenance: Assign user groups), S_USER_PRO (User Master Maintenance: Assign authorization profile), and S_USER_AUT (User Master Maintenance: Create and maintain authorizations).
Authorization object S_TABU_LIN is used to provide access to tables at row level. Separately, the values of profile parameters can be checked with t-code RSPFPAR: after executing the t-code, enter the parameter name and click Execute.
What is SAP Security??
Can you explain SNC in SAP Security??
What is SSO in SAP Security??
What is SAP Internet Transaction Server??
What is SAP Cryptographic Library??
What is T code??
What are some SAP Security T codes??
What are the most used tables in SAP??
What are the different types of SAP Security Tables?
Can you explain SAP System transactions?
Can you explain Network topology in SAP Systems?
Can you explain Transport System-Level Security?
Can you explain Secure Store and Forward?
What is SAP’s GRC?
Can you explain Internet-Level Security?
Can you explain Protecting Public Keys?
Can you explain Document Transfer-Level Security?
How Can SAP Security Be Improved?
What is STAD?
Can you explain Composite Role?
What is the difference between authorization object and authorization object class?
Which transaction code is used to manage lock entries?
What is the maximum number of profiles in a role and maximum number of object in a role?
What is SOD in SAP Security?
What is Audit Information System?
What is PFCG Time dependency?
How can you get the user list in SAP?
How do you check background jobs?
What is the difference between USOBT_C and USOBX_C?
What are the different types of tabs that are present in the PFCG?
What is the use of SU25 t-code?
How to find out who has deleted users in the system?
What are the authorization groups and how to create them?
What authorization is required to create and maintain user master records?
What is the use of authorization object S_TABU_LIN?
Questions are really good
Please post SAP GRC questions if possible